Changing the whistleblower-retaliation culture

When an employee notices a major threat to the business' cybersecurity, you would think the company would want to hear about it. But more often than not, these whistleblowers suffer retaliation from their own employers.

If you've spent any time reading or watching the news this year, you've heard about at least one major data breach. Not only do those headline-grabbing events damage the company's reputation, they also put clients and customers at risk, because their data can easily get into the hands of the public.

In the wake of these incidents, you would think companies would appreciate a heads-up before a cyber-security threat becomes a reality. However, that's not always the case. Internal whistleblowers often face retaliation from the company they were trying to protect. Many times employees aren't even aware of the legal protections offered to them if they become a whistleblower.

Debra Katz, a founding partner of Katz, Marshall & Banks has represented a number of clients who have faced direct retaliation from their own employer after bringing a cybersecurity issue to the forefront. "What we see often is that when employees write long memos or long emails where they detail the problems, they get told right at that juncture, to not be stupid and not write stuff down. So almost from the very beginning, employees in these roles can be hammered just for reporting the problem, and trying to document the issue to get it on the screen of the company so the company allocates the necessary resources." This is especially true for employees who work closely with cybersecurity; they often feel as though they are a walking target, with the business viewing them as a threat, rather than an ally.

"It is an environment where people who work in this sector really have a lot of legal protection, they also operate with a target on their back and companies have to be sensitive to this," says Katz.

Cybersecurity threats can also be associated with fraud, where a business might simply understate potential threats to business partners and clients. For example, an employee may find a number of vulnerabilities, but is denied the resources to bring the systems up to date.

But if a company ignores internal whistleblowers, it could lead to even more problems, especially if that employee takes their concerns to the SEC, which has a whistleblower program through the Dodd-Frank Wall Street Reform and Consumer Protection Act. Through this program, whistleblowers are incentivized to come forward by receiving 10 to 30 percent of the fines the SEC imposes on companies.

These acts also offer protection to whistleblowers who work for publicly traded companies, and in addition to the Dodd-Frank Act, there is the Sarbanes-Oxley Act, which both pertain to company fraud. In addition to these two acts, state statues protect employees when it comes to reporting fraudulent business practices and potential for sensitive data breaches. And for those working at private companies, if workers find their employer is misrepresenting themselves to a publicly traded company, they are also granted protections under the same acts.

Why would a company risk backlash for punishing an employee who was simply trying to do the right thing and ultimately help the business? Generally, an executive would most likely prefer the whistleblower be wrong in his or her assessment of the cybersecurity practices of a business. Rather than fundamentally change how the business protects its data, clients and assets, executives would rather stick with the status quo. The problem is, what worked in cybersecurity five or 10 years ago, most likely doesn't hold up today, since technology is rapidly evolving.

Ultimately, Katz notes that companies that choose to ignore cybersecurity threats and don't take a proactive approach to scan their systems for vulnerabilities, will wind up paying more in the end. When considering the cost of legal fees, hiring people to help fix the issues, SEC fines, the loss of customers, and the damage to a company's reputation, it greatly outweighs the cost of proactive resources businesses could invest to maintain secure cybersecurity system and patch and flaws.

For example, Target's breach in 2013 cost the company $264 million in direct expenses and Home Depot estimates that its 2004 breach cost the company $62 million dollars, not including the legal fees for the 44 lawsuits brought upon the company, according to Katz. The Ponemon Institute released a report earlier this year that states the average cost for a data breach for any company, big or small, is $3.8 million, which means small businesses aren't immune to the staggering cost of cybersecurity threats either. For the healthcare industry, which handles some of the most sensitive client data, Ponemon reports the average cost per stolen record is $363.

For employees, it's important to understand your rights when it comes to reporting ethical issues with your company. "If someone feels they are vulnerable to this retaliation they need to keep a comprehensive log documenting their efforts to raise the issues and the response that they got when they tried to raise these issues," says Katz. And while plenty of companies have ethics hotlines and 800 numbers to call, Katz says it's not always the safest avenue for employees to reach out. In reality, ensuring employee's safety when it comes to whistleblowing, businesses need to create an environment that reassures its workers that they can present questions and concerns around security threats.

Ensuring your business doesn't fall victim to the crippling losses inflicted by cybersecurity breaches starts with a zero-tolerance policy against retaliation, according to Katz. "They should be doing everything possible to really provide the resources and support for these people to effectively do their jobs," she says, "And companies need to understand that obviously it's crucial to their business to not have these kind of breaches, but they also face significant legal liabilities from the whistleblowers themselves."

This story, "Changing the whistleblower-retaliation culture" was originally published by
CIO.